1.5 million credit cards “exported” in hack of payments processor

About 1.5 million credit card holders were affected by the breach hitting …

The network intrusion that hit Global Payments was confined to its North American operations and "exported" data for about 1.5 million holders, the credit card payments processor said Sunday evening. Atlanta-based Global Payments didn't say what it meant by the term "export," nor did it say how many accounts were actually exposed by the breach.

The exported information included Track 2 data. Cardholder names, addresses, and social security numbers were out of reach of the attackers, the statement added. It went on to say the breach has been contained and investigators are "making rapid progress toward bringing this issue to a close."

"The company continues to work with industry third parties, regulators, and law enforcement to assist in the efforts to minimize potential cardholder impact," a Global Payments statement read. "It has engaged multiple information security and forensics firms to investigate and address this issue."

Update: In a conference call on the morning of April 2, Global Payments CEO Paul Garcia revealed that Visa has dropped the company from its registry of providers that meet the PCI credit card processing security standards. Global Payments continues to process transactions for Visa, but Garcia said that Visa's move could give those doing business with his company "some pause that they're doing business with someone who experienced a breach."

Garcia reiterated the company's statement that the breach—which he characterized as an "unauthorized access"—had been "absolutely contained," and said that he expects Visa will reinstate Global Payments to its registry once the company demonstrates it is in PCI compliance. He stated that no point-of-sale systems were compromised in the breach, and that only Track 2 data from credit cards was exposed—meaning that the data could not be used to create new credit cards or make fraudulent payments online.

The breach itself was limited to a "handful" of servers in Global Payments' payment processing center, and did not involve any other partners, Garcia said. The company has set up a website to provide information to consumers about the breach at www.2012infosecurityupdate.com.

Garcia told call participants that the company is working to quickly regain its PCI report of compliance, but added that the breach investigation is still ongoing. "This is still somewhat nascent," he said. "It was self-reported and self-discovered—we found this and reported it within hours—but there are parts of this that we still need to button up." He added that the company is continuing to look at all its servers with forensics experts to ensure that there were no further breaches.

30 Reader Comments

I'd really like a list of the retailers that use Global Payments. Partially to see if I'm at risk, partially just morbid curiosity. Should everyone in the god damn country just change their card numbers at this point?

I'm curious what this conference call is going to say (aside from "we deeply regret," "we are taking this very seriously," and other half-hearted apologies).

I'd really like a list of the retailers that use Global Payments. Partially to see if I'm at risk, partially just morbid curiosity. Should everyone in the god damn country just change their card numbers at this point?

according to wikipedia, global payments inc serves over 1.5 million merchant locations, so ... yeah

I'd really like a list of the retailers that use Global Payments. Partially to see if I'm at risk, partially just morbid curiosity. Should everyone in the god damn country just change their card numbers at this point?

according to wikipedia, global payments inc serves over 1.5 million merchant locations, so ... yeah

Before I graduated I worked for an IT department for my College (about a year ago), we had to support Credit card machines like the Verifone VX570 (http://www.staples.com/Verifone-VX570-Credit-Card-Terminal/product_757798) that Global Payments supplied to us, anytime one of these machines would have an issue we would have to call Global and go through their support, the issue is they did little verification as to if we really were the "Customer", You would call up give them your customer number and they would almost do anything without asking any question including giving out passwords to get into the machine and change very sensitive settings... The fact they had this kind of breach doesn't surprise me... By the way the kicker is they put a sticker on every terminal you got with your customer number right in plain sight....

Why would a payment processor have social security numbers? Or addresses for that matter?

Don't know about US but if we buy something through credit card processor, we have to give address and something called the card security number. The processor would have to have my address and the security number stored on their server to verify me.

Why would a payment processor have social security numbers? Or addresses for that matter?

Addresses are needed to verify the card info.

Social security numbers aren't, but since they are used for credit reporting (in the US), the banks issuing the credit cards have them. It wouldn't surprise me if they were just part of a dataset that gets requested by payment processors, and the processors are going to grab & store whatever they can get. The better to compile your dossier so it can be resold to marketers!

"Cardholder names, addresses, and social security numbers were out of reach of the attackers, the statement added"

I thought they had also exposed track 1 data, which does contain the card holder name (normally as it appears on the card). It will be interesting to see what other internal databases were accessed and "exported".

"Cardholder names, addresses, and social security numbers were out of reach of the attackers, the statement added"

I thought they had also exposed track 1 data, which does contain the card holder name (normally as it appears on the card). It will be interesting to see what other internal databases were accessed and "exported".

The question is why the hell would this company have this information anyway? Unless they are sending out the monthly bills for that brand of CC? Then the second question begs, why do they even have the social security number on hand. The 3rd question is why all this data wasn't encrypted in the first place.

While, network and data security is an ever-evolving thingie, and
While, there is not yet really an unsinkable ship, but rather best practices,
Nonetheless, I find it to be inexcusable and absolutely fucking outrageous when firms like this attempt to minimize the situation:

- The breach was an "unauthorized access" which has been "absolutely contained", "only Track 2 data from credit cards was exposed", consisting of an "export of data". The breach was limited to a "handful" of servers and did not involve any other partners. "This is still somewhat nascent. [..] It was self-reported and self-discovered—we found this and reported it within hours—but there are parts of this that we still need to button up."

When a CEO hedges and minces and parses like this, it makes them sound like they don't take the incident seriously at all. Customers and firms trusted you and you screwed up, how about you treat that like you SCREWED UP and not misplaced a disposable ball point pen?

The costs of data security need to be made significantly less than the costs of "unauthorized exports".

Before I graduated I worked for an IT department for my College (about a year ago), we had to support Credit card machines like the [...] that Global Payments supplied to us, anytime one of these machines would have an issue we would have to call Global and go through their support, the issue is they did little verification as to if we really were the "Customer", You would call up give them your customer number and they would almost do anything without asking any question including giving out passwords to get into the machine and change very sensitive settings... The fact they had this kind of breach doesn't surprise me... By the way the kicker is they put a sticker on every terminal you got with your customer number right in plain sight....

I used to have a shop where we ran credit cards. I can't remember if we used Global Payments or not, but it's possible -- this was more than a few years back. We just used whoever our bank referred us to, after making sure they were PCI.

In any case, the customer number, which was supposed to be secret, was printed on the bottom of the reader. With that, I or any of my employees, could call them up and do most anything without any real verification -- I don't think they would even confirm the company name. I'm pretty sure we had to do some over-the-phone payments periodically because of connection issues, and all they ever wanted then was that customer number. That aspect of it always bothered me.

"Cardholder names, addresses, and social security numbers were out of reach of the attackers, the statement added"

I thought they had also exposed track 1 data, which does contain the card holder name (normally as it appears on the card). It will be interesting to see what other internal databases were accessed and "exported".

A very nice "card services" lady at my credit union just told me they had already notified (and issued new cards to) all affected members. Since I haven't been notified, I must be safe, because absence of evidence is evidence of absence, right?

Ok, so they only know of track 2 data being stolen. It sounds like that's all that's needed to run a transaction impersonating a POS device according to the wikipedia entry (yeah, not the best source).

"Point-of-sale card readers almost always read track 1, or track 2, and sometimes both, in case one track is unreadable. The minimum cardholder account information needed to complete a transaction is present on both tracks."

The list would be completely, absurdly humungous. You know the little cardswipe boxes that sit next to cash registers and use a modem to dial up? A bunch of those dial into modem pools run by Global. Any random little gas station, taco stand, or taxi might end up on the list.

(I know because I was the primary developer for http://en.wikipedia.org/wiki/CCVS and I implemented at least one of their dialup protocols myself, by hand. A random merchant account you get from a local bank might end up being backed by Global.)

I know, that's why the "morbid curiosity" part was there. Maybe "for a sobering look at how many people are exposed when one company they've never heard of is breached" would have been a better phrase.

Before I graduated I worked for an IT department for my College (about a year ago), we had to support Credit card machines like the [...] that Global Payments supplied to us, anytime one of these machines would have an issue we would have to call Global and go through their support, the issue is they did little verification as to if we really were the "Customer", You would call up give them your customer number and they would almost do anything without asking any question including giving out passwords to get into the machine and change very sensitive settings... The fact they had this kind of breach doesn't surprise me... By the way the kicker is they put a sticker on every terminal you got with your customer number right in plain sight....

I used to have a shop where we ran credit cards. I can't remember if we used Global Payments or not, but it's possible -- this was more than a few years back. We just used whoever our bank referred us to, after making sure they were PCI.

In any case, the customer number, which was supposed to be secret, was printed on the bottom of the reader. With that, I or any of my employees, could call them up and do most anything without any real verification -- I don't think they would even confirm the company name. I'm pretty sure we had to do some over-the-phone payments periodically because of connection issues, and all they ever wanted then was that customer number. That aspect of it always bothered me.

Now multiply that by 30 card readers across a campus of 25,000 students, with almost all of them being operated by student workers being paid minimum wage (I was a student worker myself but was paid a bit more for being IT) almost all of them in campus dining which had new faces working for them almost every semester, now we have a nightmare waiting to happen. I'm not sure what was worse Global's lack of verification or my University's lack of concern to me screaming bloody murder about lack of physical security around the card readers and Global's lack of verification...